On a Linux system there are lots of users by default: daemon, bin, sys, games, etc.

According to my /etc/passwd, most of these users have a shell assigned (/bin/sh), which seems kind of insecure to me. My naive thinking would say: only give a shell to those users that may log in to the server.

Is my thinking wrong?

If not completely wrong: Can I disable the shell for "daemon" and "www-data" without having side effects (e.g. the system won't start or the Apache PHP cannot execute system calls)?

2 Answers
2

I am curious what Linux distribution you are seeing this in, because most distributions that I know of (and I just verified this on CentOS and Gentoo) have the shell for such users "disabled" as you are describing.

So, yes, it is safe to set the shell to /bin/false or /sbin/nologin. But maybe first figure out why they are not set to that value in the first place. Maybe this is something specific for the system that you are looking at.

Sorry, I forgot that important point. It is a Debian Squeeze distribution. I do not exactly know the installation settings because I got it pre-installed in a VPS from an image. However, it was something like a minimal setup because most programs (incl. vim) were not included in the image. Thanks for the links!
– BurninLeo, Oct 22 '12 at 6:48

Those users that you have asked about are not for direct login but for running a program/process under them, if at all. I would imagine that assigning no shell to them will harm anyway. But one good check is to check the /etc/shadow file and see whether the second field is X (crossed out) for those accounts. Meaning they wouldn't be able to log in and get a shell.

So, my advice would be to check the /etc/shadow file first and then if you wish, go ahead and disable the shell for those users and just let the system run as usual and see whether anything breaks. If none, then you are good to go. If something breaks and you find out it is indeed for changing the shell to /bin/false (which I highly doubt would happen) then revert to original. At that time, we will require to think of further security plugins :)

Hi! /etc/shadow is a good point - all users are disabled (*) for login, so they won't actually need a shell. Or will they? unix.stackexchange.com/questions/28888/…, mentioned in the other answer, says that cronjobs need the shell as well.
– BurninLeo, Oct 22 '12 at 6:56

Yeah, if they are all *-ed then they won't need a login shell.
– Soham Chakraborty, Oct 22 '12 at 7:42
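
The check suggested in the second answer (the password field in /etc/shadow, read alongside the shell field in /etc/passwd), as an added example that is not part of the original thread. The function names `audit_shells` and `make_sample` and the sample account lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# On a real host, run as root (/etc/shadow is root-only):
#   audit_shells /etc/passwd /etc/shadow

# audit_shells PASSWD SHADOW
# Prints "user shell password-state" for every account whose shell in PASSWD
# is something other than a */false or */nologin binary.
audit_shells() {
    awk -F: '
        FILENAME == ARGV[1] {                       # first file: shadow
            if ($2 == "")           state[$1] = "EMPTY-PASSWORD"
            else if ($2 ~ /^[!*]/)  state[$1] = "locked"
            else                    state[$1] = "password-set"
            next
        }
        {                                           # second file: passwd
            shell = ($7 == "") ? "/bin/sh" : $7     # empty field defaults to /bin/sh
            if (shell ~ /\/(false|nologin)$/) next  # already has no login shell
            print $1, shell, (($1 in state) ? state[$1] : "no-shadow-entry")
        }
    ' "$2" "$1"
}

# make_sample DIR: write constructed passwd/shadow files (not real data).
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
games:x:5:60:games:/usr/games:
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
www-data:*:15000:0:99999:7:::
sshd:!:15000:0:99999:7:::
games:*:15000:0:99999:7:::
EOF
}

# Demo on the constructed sample so the script runs offline.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_shells "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

Accounts reported as `locked` with a real shell are the candidates for /bin/false or /sbin/nologin discussed above. A locked password only blocks password authentication; root can still `su` to such an account and get whatever shell /etc/passwd names.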